In the world of information security, compromises are inevitable. Organisations need to face the fact that determined attackers will eventually get in.
It may be because of a vulnerability in the network perimeter, maybe a zero-day exploit, or a combination of phishing emails carrying custom malware and social engineering or maybe even through gaining physical access. A single compromise should never mean game over for the organisation.
Attackers tend to follow certain patterns in order to move towards their objective, which means there are a number of opportunities for organisations to catch them out before it becomes a headache.
For instance, a typical attack starts with the attacker gathering information on the organisation to enable them to conduct a targeted phishing campaign and compromise employees’ workstations in order to get an initial foothold. They can then leverage this position to move laterally into the network by compromising other user accounts and systems. From the attacker’s desired position within the network, data exfiltration/modification and finally sabotage such as DoS (Denial of Service) can take place.
Once it is understood how attackers gain a foothold and leverage it to reach their goal, it is possible to raise the bar of security efforts in order to make it more painful and expensive for attackers.
The application of prevention and hardening measures combined with effective intrusion detection and incident response can slow attackers down, force them down known paths and essentially make them “noisy” and more easily caught.
For example, let’s look at how hardening controls can be applied to spear phishing threats.
Phishing is essentially a form of social engineering, and an important defence against it is user awareness. This should be achieved via a training programme coupled with periodic phishing campaigns to assess users’ susceptibility to such attacks and keep them alert.
One key point is also to instruct users to report any suspicious email, as this will allow the security team to detect and respond to similar emails.
Further to the user aspect, for effective prevention/detection of phishing attacks it is important to also put in place solutions to filter email content.
For example, Sender ID or Sender Policy Framework (SPF) can be used to check for spoofed emails by verifying that the sending server is authorised to send mail for the sender’s domain.
Email content can also be inspected to look for typical phishing patterns and, in particular, for links and attachments.
Such links and attachments can be automatically analysed within sandboxes to see if they expose suspicious behaviour and can be stopped before reaching the end user.
As far as host hardening is concerned, some controls can be implemented to raise the bar and make it more difficult for the attacker to gain control of a user’s workstation. Phishing emails will often contain a piece of malware in the form of an attachment or a link to a malicious website that will allow the attacker to establish a Command & Control (C2) channel.
Anti-virus products, although useful against generic attacks, won’t provide effective protection against targeted attacks, as attackers usually rely on custom malware that’s been specifically engineered to bypass AV detection.
An effective control that can be implemented is application white-listing: this will prevent users from running unwanted software that’s not been authorised, including executables and scripts attached to emails. Other control examples that can be implemented include restricting the types of attachments that are allowed, thus blocking executables at the mail gateway.
However effective, application white-listing is no silver bullet and there are other methods attackers can use to run malware, for instance by sending a document containing active content, such as an Excel spreadsheet with a malicious macro.
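The attachment-type restriction and the macro-bearing document problem from the two paragraphs above, as an added example that is not part of the original article: a gateway-style check that walks a message’s attachments and returns a verdict per file. The block list, the sample message and its attachments are all constructed here; the checks look past the claimed filename by inspecting content (an `MZ` header marks a Windows executable whatever it is called, and an OOXML zip containing `vbaProject.bin` carries a macro project even behind a non-macro extension).

```python
import email
import io
import pathlib
import zipfile
from email import policy
from email.message import EmailMessage

# Constructed policy: extensions that should never reach a user's inbox.
BLOCKED_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
               ".vbs", ".vbe", ".ps1", ".hta", ".msi", ".jar", ".lnk",
               ".docm", ".xlsm", ".pptm", ".dotm", ".xlam"}
# Containers and legacy Office formats that need deeper (sandbox) inspection.
SANDBOX_EXT = {".zip", ".7z", ".rar", ".iso", ".img", ".doc", ".xls", ".ppt", ".rtf"}


def ooxml_has_macros(data):
    """True if the bytes are a zip (OOXML) containing a VBA project."""
    if data[:2] != b"PK":
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def classify_attachment(filename, data):
    """Return 'block', 'sandbox' or 'allow' for one attachment."""
    suffix = pathlib.PurePosixPath(filename.lower()).suffix
    if data[:2] == b"MZ":            # PE executable regardless of claimed name
        return "block"
    if suffix in BLOCKED_EXT:        # invoice.pdf.exe -> suffix is '.exe'
        return "block"
    if ooxml_has_macros(data):       # macro project hidden behind .xlsx/.docx
        return "block"
    if suffix in SANDBOX_EXT:
        return "sandbox"
    return "allow"


def scan_email(raw_bytes):
    """Map each attachment filename in a raw RFC 5322 message to a verdict."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    verdicts = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_content()
        if isinstance(payload, str):     # text/* parts come back as str
            payload = payload.encode()
        verdicts[name] = classify_attachment(name, payload)
    return verdicts


def build_sample_email():
    """Constructed phishing-style message with four attachments."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:          # OOXML-like zip with macros
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/vbaProject.bin", b"\x01\x02 fake vba")
    macro_doc = buf.getvalue()

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:          # plain archive, no macros
        zf.writestr("readme.txt", "hello")
    plain_zip = buf.getvalue()

    msg = EmailMessage()
    msg["From"] = "accounts@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached documents.")
    msg.add_attachment(b"%PDF-1.4 fake", maintype="application", subtype="pdf",
                       filename="report.pdf")
    msg.add_attachment(b"MZ\x90\x00 fake pe", maintype="application", subtype="pdf",
                       filename="invoice.pdf.exe")
    msg.add_attachment(macro_doc, maintype="application",
                       subtype="vnd.openxmlformats-officedocument.spreadsheetml.sheet",
                       filename="quarterly.xlsx")
    msg.add_attachment(plain_zip, maintype="application", subtype="zip",
                       filename="archive.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict in scan_email(build_sample_email()).items():
        print(f"{verdict:8} {name}")
```

The `sandbox` verdict is where the automated detonation mentioned earlier fits: archives and legacy Office formats are held for behavioural analysis rather than allowed or blocked on name alone.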
To further raise the bar, such active content could be disabled altogether or its execution limited to trusted/signed components. In the case of Microsoft Office, this can be achieved by removing the VBA component from an Office installation or by restricting macro execution to macros stored in a trusted location.
One final weapon attackers can use to bypass these controls is to exploit vulnerabilities in client-side software, such as document readers, email clients and browsers. So, it is paramount to ensure that such software is kept up-to-date. One further step is to implement generic exploit mitigation techniques that will make it harder for attackers to use zero-day exploits.
Some of these controls, such as Address Space Layout Randomisation (ASLR) and Data Execution Prevention (DEP), are offered by modern operating systems as an ‘out of the box’ solution. In certain situations it might be possible to build exploits that bypass these controls; for this reason, further exploit mitigation techniques have been devised, such as those offered by Microsoft’s Enhanced Mitigation Experience Toolkit (EMET), that are much harder to defeat.
These are ways to diminish the initial ways “in” for an attacker, but history has shown that there may still be the odd successful attempt. The next article in this series will therefore look at ways to limit lateral movement by attackers within the organisation, should they succeed in infiltrating the network, and at how to prevent data exfiltration.
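ASLR and DEP only protect a process whose executable opts in, so one practical hardening check is to audit the client-side software on a build (document readers, mail clients, browser plug-ins) for the relevant PE header flags. The following is an added example, not part of the original article: it reads `DllCharacteristics` from a PE optional header and reports the `DYNAMIC_BASE` (ASLR), `NX_COMPAT` (DEP) and `HIGH_ENTROPY_VA` (64-bit high-entropy ASLR) bits. `build_stub_pe` fabricates a minimal, non-loadable header purely so the parser can be exercised offline; on a real system you would pass the bytes of an installed `.exe` or `.dll`.

```python
import struct

# Flag bits of the DllCharacteristics field in the PE optional header.
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # DEP opt-in

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def mitigation_flags(pe_bytes):
    """Return which exploit mitigations a PE image opts into."""
    if pe_bytes[:2] != b"MZ":
        raise ValueError("not a PE image (missing MZ header)")
    e_lfanew = struct.unpack_from("<I", pe_bytes, 0x3C)[0]
    if pe_bytes[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # Optional header starts after the 4-byte signature and 20-byte COFF header.
    opt = e_lfanew + 4 + 20
    magic = struct.unpack_from("<H", pe_bytes, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ layouts.
    dllchar = struct.unpack_from("<H", pe_bytes, opt + 70)[0]
    return {
        "aslr": bool(dllchar & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(dllchar & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        # High-entropy ASLR is only meaningful for 64-bit (PE32+) images.
        "high_entropy_aslr": magic == PE32PLUS_MAGIC
        and bool(dllchar & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
    }


def build_stub_pe(dllchar, pe32plus=True):
    """Constructed minimal PE header (not loadable) for exercising the parser."""
    e_lfanew = 0x80
    hdr = bytearray(e_lfanew + 4 + 20 + 240)     # room for a full optional header
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    opt = e_lfanew + 24
    struct.pack_into("<H", hdr, opt, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", hdr, opt + 70, dllchar)
    return bytes(hdr)


def audit(pe_bytes):
    """List the mitigations an image is missing (empty list means fully opted in)."""
    flags = mitigation_flags(pe_bytes)
    return [name for name, on in flags.items() if not on]


if __name__ == "__main__":
    hardened = build_stub_pe(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
                             | IMAGE_DLLCHARACTERISTICS_NX_COMPAT
                             | IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA)
    legacy = build_stub_pe(0)
    print("hardened image missing:", audit(hardened))
    print("legacy image missing:  ", audit(legacy))
```

An image that is missing `aslr` or `dep` is exactly the kind of client software where an EMET-style opt-in or a vendor update is worth pushing, since the OS-level mitigation is otherwise not applied to it.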
Behind the Scenes
Established in 2003, MWR InfoSecurity is a research-led information security consultancy, with a client list spanning the major world indices and Government agencies & departments. MWR consults with clients around the globe, providing specialist advice and services on all areas of security, from mobile through to supercomputers.
Central to its philosophy is the desire to deliver high quality cyber security consulting services and unsurpassed levels of support to clients. MWR’s focus is working with clients to develop and deliver a full security programme, tailored to meet the needs of each individual organisation.
MWR’s services range across professional and managed services, technical solutions and training covering areas such as security research, mobile security, web defence, phishing, payment security, managed attack detection and incident response.